Allied Telesis AR300 series Network Router User Manual
Release Note
Software Release 2.3.1
C613-10325-00 REV B
Paladin Firewall Enhancements
The existing firewall NAT performs address translation for traffic passing
between a pair of interfaces. With Software Release 2.3.1, firewall rules can also
be configured that selectively perform address translation on sessions
passing through an interface, based on the properties of the session (protocol,
ports, IP addresses). In addition to standard NAT and enhanced NAT rules, it is
possible to configure reverse NAT (translates the destination address of
outbound packets and the source address of inbound packets), double NAT
(translates both source and destination addresses) and subnet variations of
these, which translate addresses from one subnet to another. Reverse enhanced
NAT can also be configured by applying an enhanced NAT rule to a public
interface. Reverse enhanced NAT allows multiple inbound sessions to appear to
devices on the private LAN as if all the sessions had come from the same
private interface IP address.
A rule can be given a limited time to live (TTL), in hours and minutes, after
which it is no longer applied and all sessions allowed by the rule are
deleted.
These features allow a service provider to bill multiple users, and provide each
of them with customised, time-limited secure connections from multiple sites.
For examples of their use, see “Web Redirection with Reverse NAT Rules” on
page 18 and “Further Examples” on page 19.
As in previous releases, the Paladin Firewall requires a special feature licence.
(Note that routers already configured to use Paladin do not require a new
password.)
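The rule-based translation described above (selectors on protocol, ports and addresses; standard, enhanced, reverse, double and subnet NAT; a per-rule TTL that deletes the rule's sessions when it runs out) as an added example that is not from this release note and not Allied Telesis code: a small Python model of a rule-based NAT table. The rule names, addresses, the port pool starting at 40000, first-match rule ordering and the minute-based clock are all constructed for the example; the router's own CLI syntax and matching order are not shown in this note.

```python
# Constructed model of rule-based NAT (added example; not Allied Telesis code).
# A rule carries selectors (protocol, source/destination network, destination
# port), a translation kind and an optional TTL in minutes.  Rules are tried in
# list order and the first match wins (a modelling assumption, not the router's).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

Key = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)

@dataclass
class Rule:
    name: str
    kind: str                       # standard | enhanced | reverse | double | subnet
    proto: Optional[str] = None     # selectors; None means "any"
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    dport: Optional[int] = None
    to_src: Optional[str] = None    # translated source address (a subnet for kind=subnet)
    to_dst: Optional[str] = None    # translated destination address
    ttl: Optional[int] = None       # lifetime in minutes; hours converted by the caller
    created: int = 0                # constructed clock, in minutes

    def expired(self, now: int) -> bool:
        return self.ttl is not None and now >= self.created + self.ttl

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.src_net is None or ip_address(src) in ip_network(self.src_net))
                and (self.dst_net is None or ip_address(dst) in ip_network(self.dst_net))
                and (self.dport is None or self.dport == dport))

def subnet_map(addr: str, from_net: str, to_net: str) -> str:
    """Swap the network part, keep the host offset (192.168.2.7 in /24 -> 172.16.9.7)."""
    offset = int(ip_address(addr)) - int(ip_network(from_net).network_address)
    return str(ip_address(int(ip_network(to_net).network_address) + offset))

class RuleNat:
    def __init__(self, rules):
        self.rules = rules
        self.out: Dict[Key, Tuple[Key, str]] = {}   # private 5-tuple -> (public 5-tuple, rule)
        self.back: Dict[Key, Key] = {}              # public-side reply 5-tuple -> private reply
        self.next_port = 40000                      # constructed port pool for enhanced NAT

    def expire(self, now: int) -> None:
        """A rule past its TTL stops matching and every session it created is deleted."""
        dead = {r.name for r in self.rules if r.expired(now)}
        for key, (pub, name) in list(self.out.items()):
            if name in dead:
                del self.out[key]
                self.back.pop((pub[0], pub[3], pub[4], pub[1], pub[2]), None)

    def outbound(self, proto, src, sport, dst, dport, now=0):
        """Translate a packet leaving the private side; None means no rule applied."""
        self.expire(now)
        key = (proto, src, sport, dst, dport)
        if key in self.out:                          # an existing session keeps its mapping
            return self.out[key][0]
        for r in self.rules:
            if r.expired(now) or not r.matches(proto, src, dst, dport):
                continue
            nsrc, nsport, ndst = src, sport, dst
            if r.kind == "standard":                 # one private address -> one public address
                nsrc = r.to_src
            elif r.kind == "enhanced":               # many private addresses -> one public
                nsrc, nsport = r.to_src, self.next_port  # address; a unique port keeps replies apart
                self.next_port += 1
            elif r.kind == "reverse":                # rewrite the destination of outbound packets
                ndst = r.to_dst
            elif r.kind == "double":                 # rewrite both addresses
                nsrc, ndst = r.to_src, r.to_dst
            elif r.kind == "subnet":                 # one-to-one between two subnets
                nsrc = subnet_map(src, r.src_net, r.to_src)
            pub = (proto, nsrc, nsport, ndst, dport)
            self.out[key] = (pub, r.name)
            # the reply to `pub` arrives with addresses and ports swapped
            self.back[(proto, ndst, dport, nsrc, nsport)] = (proto, dst, dport, src, sport)
            return pub
        return None

    def inbound(self, proto, src, sport, dst, dport, now=0):
        """Reverse-translate a reply arriving on the public side; None means drop it."""
        self.expire(now)
        return self.back.get((proto, src, sport, dst, dport))

def build_demo_nat() -> RuleNat:
    """Constructed rule set: a one-hour web redirect to a proxy, a double-NAT mail
    path, many-to-one NAT for the rest of the LAN and subnet NAT for a second site."""
    return RuleNat([
        Rule("proxy", "reverse", proto="tcp", src_net="192.168.1.0/24", dport=80,
             to_dst="10.0.0.5", ttl=1 * 60 + 0),
        Rule("mail", "double", proto="tcp", dst_net="198.51.100.20/32", dport=25,
             to_src="203.0.113.2", to_dst="10.0.0.25"),
        Rule("lan", "enhanced", src_net="192.168.1.0/24", to_src="203.0.113.1"),
        Rule("site", "subnet", src_net="192.168.2.0/24", to_src="172.16.9.0/24"),
    ])

def walkthrough() -> dict:
    nat, r = build_demo_nat(), {}
    r["web_out"] = nat.outbound("tcp", "192.168.1.7", 5000, "198.51.100.10", 80)
    r["web_reply"] = nat.inbound("tcp", "10.0.0.5", 80, "192.168.1.7", 5000)
    r["dns_a"] = nat.outbound("udp", "192.168.1.7", 5353, "198.51.100.53", 53)
    r["dns_b"] = nat.outbound("udp", "192.168.1.8", 5353, "198.51.100.53", 53)
    r["dns_b_reply"] = nat.inbound("udp", "198.51.100.53", 53, "203.0.113.1", 40001)
    r["mail_out"] = nat.outbound("tcp", "192.168.1.9", 7000, "198.51.100.20", 25)
    r["site_out"] = nat.outbound("tcp", "192.168.2.7", 6000, "198.51.100.10", 443)
    r["unmatched"] = nat.outbound("tcp", "10.9.9.9", 1, "198.51.100.10", 443)
    # one hour later the redirect rule has expired: its session is gone and new
    # web traffic falls through to the many-to-one rule instead
    r["web_reply_late"] = nat.inbound("tcp", "10.0.0.5", 80, "192.168.1.7", 5000, now=60)
    r["web_out_late"] = nat.outbound("tcp", "192.168.1.7", 5001, "198.51.100.10", 80, now=60)
    return r

if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k:15} {v}")
```

The walk-through shows the behaviour the note describes: the reverse rule rewrites the destination of the outbound web session and the source of the reply, the enhanced rule gives two private hosts one public address with distinct ports, the subnet rule preserves the host part, and once the TTL runs out the redirect rule's session is deleted and later web traffic no longer matches it.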
Interface-based NAT
The existing interface-based NAT provides a simple address translation for
traffic passing between a pair of interfaces. The following methodologies are
supported by interface-based NAT:
Standard NAT
This translates the addresses of private side devices to addresses suitable
for the public side of the firewall (source address will be translated for
outbound packets, destination address for inbound packets).
Enhanced NAT
This translates many private side addresses into a single global address
suitable for use on the public side of the firewall (source address will be
translated for outbound packets, destination address for inbound packets).
Rule-based NAT
The new rule-based NAT provides advanced address translation based on the
properties of a packet received on a particular firewall interface. Selector values
such as source address, destination address, protocol type and port number
(TCP/UDP) determine which packets undergo translation. The following
methodologies are supported:
Standard NAT
This translates the addresses of private side devices to addresses suitable
for the public side of the firewall (source address will be translated for
outbound packets, destination address for inbound packets).